Corporate hackers in crosshairs as Canadian tech firms launch fight for security

CP

CAMBRIDGE, Ont. - Canada's technology hub is looking to emerge as a prized fighter in the battle against corporate hackers, but one of its biggest challenges may be winning over a business community reluctant to ramp up their own protection.

A group of companies in the Waterloo, Ont. region is making headway in an industry focused on the biggest common threat to the business world consumer data and proprietary information falling into the hands of outsiders.

During the past year, massive data breaches left U.S. retailers and banks fumbling to explain how hackers stole personal information about their customers while the Canadian government took some of its systems offline to recover from attacks they claim from China.

The sheer number of infiltrations has created a huge opportunity for cybersecurity firm Esentire Inc., one of the rising stars of global corporate security, which keeps an unassuming presence at an industrial park in Cambridge, Ont., just outside Waterloo.

Last month, Esentire secured $14 million from a group of investors who want to grow the operation, open a new office building and add another 40 people to its 90 employees.

Once dedicated almost exclusively to monitoring financial services and legal firms, Esentire says it sees more opportunities to grow in thriving areas of the health care industry, as well as energy and mining.

They're not the only ones making headway this year.

I Think Security, a Waterloo startup formed in 2010, was picked as one of eight international companies for FinTech Innovation Lab Asia-Pacific to help foster security ideas for the overseas banking industry.

But while so much attention is being placed on the dangers of international hackers, it's Canadian corporations who are vulnerable, industry players suggest.

"We seem to significantly underestimate the risk to our organizations in this country," said J. Paul Haynes, chief executive of Esentire. "They're developing all the intellectual property that's supposed to be our next economy ... yet nobody is doing anything to protect it."

Ottawa has faced major security breaches at least twice this year. The Canada Revenue Agency shut down its website in April after a security flaw tied to the Heartbleed bug allowed 900 social insurance numbers to be stolen, and the National Research Council said in July it was forced to shut down its IT network after security breaches.

Statistics Canada released a study in June which showed that six per cent of the 17,000 private Canadian enterprises surveyed had experienced an Internet security breach in 2013. About a quarter of those impacted said client or proprietary information had been corrupted, stolen or accessed without permission.

A more recent survey suggests those numbers could be escalating.

Websense, a U.S.-based security company, found in an August study that more than one-third of Canada's IT professionals say they have proof they've suffered a major data breach over the previous 12 months.

The survey also found that 56 per cent of the 236 Canadian respondents believed there were more threats that went undetected.

Few companies who respond to these surveys ever mention their threats publicly, and cybersecurity experts say it's mostly from fear the revelation would scare off customers or put them on the hook for liabilities.

While companies preserve their own interests, the silence from boardrooms downplays the urgency facing Canadian cybersecurity.

"Senior executives are great at what they do, but they're not necessarily technically inclined, so they tend to delegate to their IT department," said Doug Blakey, president of Watsec, another cybersecurity firm in Waterloo that trains companies on better practices.

"They're basically closing their eyes, handing over responsibility and not applying any oversight."

However, that may change with the Digital Privacy Act, also known as Bill S-4, which is expected to go before Parliament for the second of three required readings this year. If it becomes law, it would require federally regulated businesses, as well as federal government agencies, to report significant breaches to the privacy commissioner and to customers and clients whose private information was leaked.

Tighter regulations are welcomed by the security industry, who consider it essential to ratchet up deterrents for cybercrimes.

"For the most part, we don't have teeth in the legislation, there's no penalties," said Blakey.

"We're dealing with a type of risk that, quite frankly, we've never had to deal with on the planet before. It's something that needs to be addressed."

But even federal laws probably won't stop professional hackers with the skills to monitor correspondence between executives, intercept money transfers from fund managers or steal consumer data.

Within cybersecurity circles, it's assumed the majority of these hackers execute complex breaches from outposts in Russia, Eastern Europe and China, though it's often impossible to follow the trail, and even more difficult to prosecute them in international courts.

Some headway has been made in the United States, where three years ago the Securities and Exchange Commission asked public companies to reveal cyber-breaches considered "material" to investors. The guideline has brought to light several attacks, but the argument over what's "material" still gives plenty of wiggle room for companies to stay quiet about when they've been hacked.

The security beaches that have been voluntarily disclosed by corporations are startling, but the information being left out of their regulatory filings is even more concerning.

Last month, Home Depot announced that a massive data breach put 56 million credit card numbers into the hands of hackers.

However, internal documents obtained by Bloomberg Businessweek say the hardware retailer was warned by security companies about vulnerabilities within its systems and ignored at least two smaller breaches before it was hit last summer.

And last week, U.S. financial institution JPMorgan Chase disclosed that 76 million households and 7 million businesses were affected by a data breach, but media reports suggested that, instead of targeting consumer accounts, hackers went after applications that could provide even wider access to the bank's systems in the future.

Blakey wants to see more efforts dedicated to teaching employees that everybody is a potential target.

Hackers are on the hunt for the weakest entry point and the supply chain has become one of the most popular ways to sneak into a major corporation through the backdoor.

"It's the small and medium enterprises that can be the Achilles Heel," Blakey said.

In the case of U.S. retailer Target Corp., credit and debit card information for 110 million North American customers was stolen when hackers entered the company's computer systems through a third-party heating, ventilation and air conditioning firm that remotely controlled temperature at some stores.

With hundreds of thousands of suppliers working within the corporate network, it may be impossible to prevent hacks without a combination of education and constant monitoring of computer systems.

One of the challenges is making such an intangible problem feel urgent for companies before they suffer their own data breach, Blakey said.

"We don't want to go around crying like Chicken Little that the sky is falling but, on the other hand, people are not paying enough attention," Blakey said.